All user accounts must have a publicly registered UPN that can be verified by Microsoft Intune. GoDaddy and Symantec are typical examples of companies that provide domain names.

Verify that users have a public domain UPN

Before synchronizing the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.

You can create a Configuration Manager custom report to verify that the UPN of the users who are discovered is consistent with the Intune Account Portal by using the following SQL query:

-- Count discovered users per UPN suffix (the part after '@').
SELECT UserPrincipalName,
       COUNT(*) AS NumOfOccurances
FROM (SELECT RIGHT(User_Principal_Name0,
                   LEN(User_Principal_Name0) - PATINDEX('%@%', User_Principal_Name0))
                 AS UserPrincipalName
      FROM CM_EC1.dbo.v_R_User) AS sub  -- CM_EC1 is the site database in this example
GROUP BY UserPrincipalName

Directory synchronization lets you populate Intune with synchronized user accounts. The synchronized user accounts and security groups are added to Intune. For more information, see Configure directory synchronization in the Active Directory documentation library.

Optional, not recommended: If you are not using AD FS, reset users’ Microsoft Online passwords

If you are not using AD FS, you must set a Microsoft Online password for each user.

Create a DNS alias

Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is Melissa@contoso.com, you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com.
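The UPN suffix check and the DNS alias check described above can be run together from PowerShell. This is an added example, not code from the original documentation: the function names Get-UpnSuffixReport and Test-EnrollmentCname, the sample UPNs, and the verified-domain list are constructed for illustration.

```powershell
# Added example (not Microsoft's code). UPNs and the verified-domain list below are constructed.
function Get-UpnSuffixReport {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [Parameter(Mandatory)] [string[]] $VerifiedDomain   # assumed: domains you have verified for Intune
    )
    $UserPrincipalName | ForEach-Object {
        $at = $_.LastIndexOf('@')
        # A value with no '@' (or nothing after it) has no usable suffix.
        if ($at -lt 1 -or $at -eq $_.Length - 1) { '(none)' }
        else { $_.Substring($at + 1).ToLowerInvariant() }
    } | Group-Object | ForEach-Object {
        [pscustomobject]@{
            Suffix   = $_.Name
            Users    = $_.Count
            Verified = $VerifiedDomain -contains $_.Name   # -contains is case-insensitive
        }
    }
}

function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $ExpectedTarget = 'manage.microsoft.com'
    )
    $alias = "EnterpriseEnrollment.$Domain"
    # Resolve-DnsName is part of the Windows DnsClient module; a failed lookup yields no record.
    $cname = Resolve-DnsName -Name $alias -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $target = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }
    [pscustomobject]@{
        Alias  = $alias
        Target = $target
        Ok     = ($target -eq $ExpectedTarget)   # string -eq is case-insensitive
    }
}

# Constructed sample input: two public-suffix users, one .local suffix, one value with no suffix.
$sampleUpns = 'melissa@contoso.com', 'Dan@CONTOSO.com', 'svc-backup@corp.local', 'kiosk01'
$verified   = @('contoso.com')

$report = Get-UpnSuffixReport -UserPrincipalName $sampleUpns -VerifiedDomain $verified
$report | Format-Table -AutoSize
# Only suffixes that passed the UPN check are worth testing for the enrollment alias.
$report | Where-Object Verified |
    ForEach-Object { Test-EnrollmentCname -Domain $_.Suffix } | Format-Table -AutoSize
```

Rows with Verified set to False are accounts whose UPN suffix needs to change before synchronization. An alias whose Target is empty or is anything other than manage.microsoft.com should be corrected in DNS before users enroll.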